The battle for email privacy

You've got company

Ah, humanity. We are a sneaky species, forever attempting to get a leg up on everyone else in as underhanded a manner as possible. If there's a way to listen in to conversations not meant for us, watch the actions of others furtively, or read someone else's secrets, we do it.

In January, it was reported that a 24-year-old thief in Medellin, Colombia had himself delivered to a wealthy condominium in a parcel. His plan? Wait in the box until it was deposited in the home he wished to ransack, then worm his way out and have his way. Unfortunately, police suspected a bomb, and started to open the box when ... the lad cut his way out, complaining that he couldn't breathe. Oops.

Last October, Bruce Schneier reported a new technique used by car thieves: precision stripping. Here's how it plays: steal a car. Strip the car down to the chassis. Dump the chassis on the street. Soon enough, the cops tow the chassis away. When the chassis is offered up at a police auction, buy the chassis. Reattach the parts to the chassis. Bingo! You now own - legally - a car that you stole. As Schneier puts it, the VIN (Vehicle Identification Number) has been "laundered".

And now, perhaps the sneakiest technique of all, although I can find no actual stories of anyone using it in the news (if someone knows of one, please send it to me). It seems that cell phones made by Nokia, Motorola, and others have a great new feature: you can make the phone appear to be turned off, then call it and initiate a special mode in which it answers incoming calls and turns on the speaker, allowing you to hear everything uttered in the room in your absence without anyone knowing. Now that is sneaky!

And, I think most of us would agree, pretty creepy, if not close to downright dishonest. Unfortunately, such behavior is easy to find in the online world - just take a look at email.

Most of us have been the victims of the dreaded email "read receipt". You know: "Mr. Duplicitous has requested confirmation that you have received his email." And underneath are two buttons: Yes and No. I don't think I'm alone in always choosing No (unless someone is dumb enough to send such a request to a mailing list, which hopefully results in about a thousand "confirm" messages drowning the jerk in email). In fact, my email program of choice - Kmail - allows me the choice of four settings in the program's preferences: (a) Ignore, (b) Ask, (c) Deny, (d) Always send. Guess which one I've got checked?

Many other email programs have similar options available (unless you're using Outlook to check an account on an Exchange server, in which case you're hosed). These options are a good thing. It's nice that we have some measure of control over our email. And, to be honest, I can see how certain folks, in certain situations, may need to use read receipts (and deleted receipts, and forward receipts, which are sometimes found as well). But for most people, read receipts are annoyances at best, privacy intrusions at worst. But at least they're visible - assuming, of course, that you haven't set your email program to always send a reply, automatically. It's hard to be unaware of the situation when a big dialog box opens up asking you what you want to do. At that point, you know that someone is trying to track your email behavior.

Bug Off

Read receipts were bad enough, but they weren't good enough for certain Net users, like spammers, so-called "email marketers", and your overly-paranoid boss. For years, while email was still the blessed realm of simple text, these people wailed and gnashed their teeth, awaiting the day when they could begin tracking in earnest. And finally, with the arrival of HTML-based email, their prayers were answered. For now a plague of "Web bugs" swept over the Internet, alerting the spammers, the marketers, and yes, your wacko boss, that you had in fact read their email - and precisely at 2:49:34 p.m. I hope they're happy.

Web bugs, for those of you who don't know about these insidious little beasties, are basically tiny, 1 pixel by 1 pixel, transparent GIF images embedded in HTML emails. When you open the email, a connection is made back to a server requesting the GIF, letting those who sent the email know that you have in fact opened their missive offering you an enlarged body part - or ordering you to work on Saturday. Either way, it's a raw deal.

Web bugs are in far greater use than I think any of us realize. A lot of "companies" offer the "service" - just search Google for "tracking email" and note the ads on the top and right side of the results. In fact, Edward Felten wrote in his blog about one company - DidTheyReadIt (I'm not going to dignify them with a link) - that promises not just to inform users that an email has been read, but also how many times it's read, if it's forwarded, and where geographically the reader is.

Email clients to the rescue, once again. Kmail lets me go into the program's options and choose whether or not to "Allow messages to load external references from the Internet". Mozilla Mail and Thunderbird offer "Block loading of remote images in mail messages". Even Outlook 2003 has finally gotten into the act, although the instructions for prior versions of Outlook are crazily complicated and the option is cleverly buried so deep that a bloodhound couldn't find it, but hey. At least it's there.

At least read receipts are visible and obvious. Web bugs are another story. They're insidious, used by people who don't have the guts to stand up and announce themselves. But at least we can block them. Of course, the same people bent on ensnaring us in their own private panopticons won't be satisfied with the defeat of Web bugs. No, the arms race continues, and that brings us to ReadNotify, also discussed by Edward Felten.

They Like to Watch

ReadNotify makes Jeremy Bentham's dreams of surveillance look mild. They allow users of almost every major email program in use today - Outlook, Outlook Express, Netscape Mail, Eudora, Thunderbird, Pegasus, even Hotmail and Yahoo - to create email that gives the sender an enormous amount of information about the recipient, as they describe on their site (again, no direct link to these guys):

Tracking: find out when email you send gets read, where the reader is located, how long they read it for, if they printed it out, whether they forwarded it to someone else, and much more.

Certify your email: get proof-of-sending and proof-of-opening digitally signed and time-stamped court-admissible receipts.

Self Destructing Email which blocks printing, copy, save, forward, print-screen, can be retracted after sending and deletes itself after being read.

Ensured Receipts guarantee you get a receipt when your email gets opened, and lets you retract your emails after sending.

By the way, that "much more" in the first bullet point is in fact much more. You get maps of the reader's location, her IP address, her email address, referrer details - and everything is also available for anyone who reads the forwarded email as well. Yikes!

Now, you may be thinking, "why not just block this email's Web bugs like we do all the others?" Well, that would be great, if ReadNotify just used Web bugs. Unfortunately, these clever, clever people use another technology in addition to Web bugs: IFRAMEs. If you're a Web developer and you need a brush-up on the IFRAME element, HTMLHelp has a nice piece; if you're not a Web developer, don't worry about it. Just understand that it's far more complicated - and far more effective - than simple transparent GIF images.

(And y'know what's even better? The thoughtful Orwellians at ReadNotify also offer the same tracking service for Word and Excel documents! How sweet of them!)

So how do we defeat ReadNotify's IFRAME trick? The short answer: we can't ... yet. Oh, we can disable HTML-based email. That option is easy to do in Kmail. As I've discussed before, Kmail really does things the right way when it comes to HTML emails:

The default behavior of the email program I prefer - KMail - is to not load external references in messages, such as pictures and Web bugs, and to not display HTML. When an HTML-based email shows up in my Inbox, I see only the HTML code, and a message appears at the top of the email: "This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here." But even after I activate the HTML, certain dynamic elements that can be introduced in an HTML-based email - like Java, Javascript, plugins and even the "refresh" META tag - do not display, and cannot even be enabled in KMail.
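To see which parts of an HTML email can report back to the sender, here is an added example (not from KMail or any product named in this article) that scans a raw message for the elements discussed above: 1x1 remote images, IFRAMEs, the "refresh" META tag, and script or plugin tags. The sample message and the host tracker.example are constructed placeholders.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

ACTIVE = {"script", "object", "embed", "applet"}  # dynamic content a cautious client refuses

def is_remote(url):
    return url.lower().startswith(("http://", "https://", "//"))

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, detail) pairs, in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "img" and is_remote(a.get("src", "")):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.findings.append(("web-bug" if tiny else "remote-image", a["src"]))
        elif tag == "iframe" and is_remote(a.get("src", "")):
            self.findings.append(("iframe", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag in ACTIVE:
            self.findings.append(("active-content", tag))

def scan_message(raw):
    """Return tracking-capable elements from every text/html part of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.findings

# Constructed sample message; tracker.example is a placeholder host.
SAMPLE = """\
From: sender@example.com
Subject: Quarterly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><meta http-equiv="refresh" content="5; url=http://tracker.example/r"></head>
<body><p>Hello</p>
<img src="http://tracker.example/open.gif?id=123" width="1" height="1">
<img src="cid:logo" width="200" height="50">
<iframe src="https://tracker.example/frame?id=123" width="0" height="0"></iframe>
<script>document.title = "x";</script></body></html>
"""
print(scan_message(SAMPLE))
```

The size check reads only the width and height attributes, so a tracker image sized through CSS is reported as "remote-image" instead; either way it is a remote fetch that blocking external references would stop. The embedded cid: image is attached to the message itself and is not flagged.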

The problem is that the vast majority of email clients in use today do not possess Kmail's flexibility. Email programs' treatment of HTML is often more like a light switch: either it's on or it's off. There's no in-between. Clearly, users need to demand safer email programs that give them greater control over message display. I wouldn't hold my breath (remember, it took 'til Outlook 2003 for the program to automatically block Web bugs), but eventually the problem will be fixed. This is an arms race. Every time the technology changes to enable further surveillance, something happens to render that surveillance inoperable ... at least until the next technological change. And so it goes.

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.